Analyzing the Compromise - without Going Hungry



It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations?

Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities but also logs user and network activity that it detects in real time on the wire. These activities include:

  1. Installation and operation of non-compliant software (e.g., Kazaa, BearShare, keyloggers, LogMeIn, etc.)
  2. Transfer of PII (e.g., personally identifiable information such as SSNs, credit cards, medical insurance claims, etc.)
  3. Aberrant behavior (e.g., suspicious SQL commands, worm activity, shell detection, etc.)

Log Correlation Engine

The LCE is an excellent log aggregation and vulnerability correlation tool that also detects the following user-related activity (and more):

  1. New system users and all activity associated with that user
  2. Brute force password guessing
  3. Invalid user login attempts
  4. Successful logins after multiple failures
  5. Suspicious activity, such as network scans, proxy access and long TCP sessions with unusually high file transfer rates

The Hack

To begin the analysis of the day's events, you log in to SecurityCenter and start with the default high-level view of recent normalized event activity. Immediately you notice a spike of interesting activity today between 10:00 and 11:45 AM. Hovering over the event spikes shows the approximate period of the anomalous activity:

[Screenshot: spikes_sm.png]

You then tighten the time criteria and create a filter on the string “jblack” (Jack's username) to see whether these events are related to the now ex-employee's activities:

[Screenshot: SC-AlertsEvents_sm.png]

Yep!! The output below shows that several interesting events occurred when Jack was logged into one or more systems.

[Screenshot: SeveralEventsLogged_sm.png]

You then change views to drill down into the raw syslog data. As the display below shows, the data sources include Windows process accounting (Event Viewer logs) and passive network traffic analysis; many of the other logs shown later arrived as real-time syslog from the PVS. Note that in the syslog displays below the actual time of the event is recorded inside the syslog message itself; the event time in the left column is typically slightly later, because it is the time at which the LCE received and processed the event.

[Screenshot: LCEReceived_sm.png]

This aggregation of event data makes the output far more useful and credible than IDS events alone, each of which describes a single moment in time and typically comes from a single source type. That said, the LCE can also receive IDS events to correlate with the rest of the data if desired. A closer look at the time stamps above reveals that the following actions took place:

Feb 17 10:00:18 Windows system accounting shows that Jack logged in over RDP:

[Screenshot: LoggedoverRDP_sm.png]

Feb 17 10:01:01 Tenable's event normalization shows that Jack initiated a netcat listener for the first time:

[Screenshot: NetcatLIstener_sm.png]

Feb 17 10:01:10 Jack disconnected from RDP, leaving the netcat listener running. In this screen capture, the "Client Name" and "Client Address" fields are the actual originating hostname and IP address of the attacker:

[Screenshot: leftnetcastrunning_sm.png]

Feb 17 11:37:41 Jack logged in to his newly created backdoor:

[Screenshot: NewBackdoor_sm.png]

Feb 17 11:38:29 to 11:38:41 Jack initiated an FTP session with a new remote host to download suspicious files (porn!!) from the CEO's IP address:

[Screenshot: CEOIPaddress_sm.png]

Feb 17 11:39:07 Next, Jack removed several confidential files from the system he was logged into:

[Screenshot: ConfidFiles_sm.png]

Feb 17 11:39:36 Jack disconnected from his netcat session:

[Screenshot: DisconnectNetCat_sm.png]

You now have a solid view of what happened from start to finish, as well as how and when it happened. Using the same time frame and search parameters, an HR-friendly PDF report can be generated and sent to all interested parties. In addition, automated alerts and tickets can be created from these events so that similar activity is analyzed as it happens.
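The correlation walked through above is, at bottom, a join across two log sources on user, host and time. The script below is an added example, not Tenable code, that rebuilds the same kind of timeline from constructed syslog-style lines modelled on the scenario: Windows events (4624 type 10 for the RDP logon, 4688 for process creation, 4779 for the RDP disconnect, 4663 with DELETE access for the file removal) tagged `winevt`, and passive network events tagged `pvs`. The `winevt`/`pvs` source tags, the key=value line layout, the `HOST_IPS` host-to-address map, the sample addresses and the default year are all assumptions; real LCE and PVS output looks different. What it shows beyond the screenshots is how the backdoor traffic, which carries no username, gets attributed: a session to a port on which the user launched a listener, and anything the host initiates while that session is open, are credited to that user.

```python
"""Rebuild a per-user incident timeline from mixed Windows event-log and
passive-network syslog lines.  Added example, not Tenable code: the sample
lines are constructed for the post's scenario, and the winevt/pvs tags, the
key=value layout and the HOST_IPS map are assumptions."""
import re
from datetime import datetime

# Constructed sample log (not real LCE/PVS output).  One event per line:
#   "Mon DD HH:MM:SS <syslog-host> <source>: key=value key="quoted value" ..."
# Windows IDs used: 4624 logon (type 10 = RDP), 4688 process created,
# 4779 RDP session disconnected, 4663 object access (DELETE).
SAMPLE_LOGS = r"""
Feb 17 09:58:02 fs01 winevt: id=4624 type=2 user=svc_backup src=10.1.2.10
Feb 17 10:00:18 fs01 winevt: id=4624 type=10 user=jblack src=10.1.5.23 client=JBLACK-LT
Feb 17 10:01:01 fs01 winevt: id=4688 user=jblack cmd="C:\tools\nc.exe -L -p 4444 -e cmd.exe"
Feb 17 10:01:10 fs01 winevt: id=4779 user=jblack client=JBLACK-LT src=10.1.5.23
Feb 17 10:15:44 fs01 winevt: id=4624 type=3 user=mwhite src=10.1.5.40
Feb 17 11:37:41 pvs01 pvs: event=tcp-session src=10.1.5.23 sport=51912 dst=10.1.2.10 dport=4444
Feb 17 11:38:29 pvs01 pvs: event=ftp-get src=10.1.2.10 dst=10.1.1.5 file="clip.avi"
Feb 17 11:39:07 fs01 winevt: id=4663 user=jblack access=DELETE object="E:\Finance\Q4-forecast.xlsx"
Feb 17 11:39:36 pvs01 pvs: event=tcp-session-end src=10.1.5.23 sport=51912 dst=10.1.2.10 dport=4444
"""
HOST_IPS = {"fs01": "10.1.2.10"}  # assumed: syslog host name -> its address

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<source>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NC_RE = re.compile(r"(?:^|[\\/ ])nc(?:at)?(?:\.exe)?\b", re.I)


def parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line, year):
    """Turn one line into a dict, or None if it is not in the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": parse_ts(m["ts"], year), "host": m["host"], "source": m["source"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        ev[key] = quoted if quoted else bare
    return ev


def listener_port(cmd):
    """Port if `cmd` starts a netcat listener in the `nc -l/-L -p PORT` form, else None."""
    if not NC_RE.search(cmd) or not re.search(r"(?:^|\s)-[lL]\b", cmd):
        return None
    m = re.search(r"-p\s+(\d+)", cmd)
    return m.group(1) if m else None


def classify(ev):
    """Human-readable label for one timeline entry."""
    if ev["source"] == "winevt":
        eid = ev.get("id")
        if eid == "4624":
            return "RDP logon" if ev.get("type") == "10" else f"logon (type {ev.get('type')})"
        if eid == "4688":
            port = listener_port(ev.get("cmd", ""))
            return f"netcat listener started on TCP/{port}" if port else f"process started: {ev.get('cmd')}"
        if eid == "4779":
            return "RDP session disconnected"
        if eid == "4663" and ev.get("access") == "DELETE":
            return f"file deleted: {ev.get('object')}"
        return f"Windows event {eid}"
    kind = ev.get("event")
    flow = f"{ev.get('src')}:{ev.get('sport')} -> {ev.get('dst')}:{ev.get('dport')}"
    if kind == "tcp-session":
        return f"TCP session opened {flow}"
    if kind == "tcp-session-end":
        return f"TCP session closed {flow}"
    if kind == "ftp-get":
        return f"FTP download of {ev.get('file')} from {ev.get('dst')} by {ev.get('src')}"
    return f"{ev['source']} event {kind}"


def build_timeline(log_text, user, start, end, host_ips=HOST_IPS, year=2012):
    """Events attributable to `user` between `start` and `end` (syslog-format strings).

    Attribution, in order: (1) the event names the user; (2) it is a network
    session to a listener the user started (same IP:port, after launch);
    (3) it originates from a host while such a backdoor session is open.
    Returns a sorted list of (timestamp, source, label, reason)."""
    lo, hi = parse_ts(start, year), parse_ts(end, year)
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events = sorted((e for e in events if lo <= e["ts"] <= hi), key=lambda e: e["ts"])
    listeners = {}  # (host IP, port) -> time the user launched a listener there
    for e in events:
        if e.get("user") == user and e.get("id") == "4688":
            port = listener_port(e.get("cmd", ""))
            if port:
                listeners[(host_ips.get(e["host"]), port)] = e["ts"]
    open_backdoors = {}  # server IP -> client IP while a backdoor session is open
    timeline = []
    for e in events:
        why = None
        if e.get("user") == user:
            why = "event names the user"
        elif e["source"] == "pvs":
            key = (e.get("dst"), e.get("dport"))
            if key in listeners and e["ts"] >= listeners[key]:
                why = "connection to listener the user started"
                if e.get("event") == "tcp-session":
                    open_backdoors[e["dst"]] = e["src"]
                else:
                    open_backdoors.pop(e["dst"], None)
            elif e.get("src") in open_backdoors:
                why = "initiated from host while the user's backdoor session was open"
        if why:
            timeline.append((e["ts"], e["source"], classify(e), why))
    return timeline


if __name__ == "__main__":
    for ts, source, label, why in build_timeline(SAMPLE_LOGS, "jblack", "Feb 17 10:00:00", "Feb 17 11:45:00"):
        print(f"{ts:%b %d %H:%M:%S}  {source:6}  {label}  [{why}]")
```

Run as a script it prints seven attributed events in the order the post describes; the svc_backup and mwhite logons in the sample are dropped because they name other users (the first also falls outside the window). The second attribution rule is what turns an anonymous TCP session into "Jack logged in to his backdoor": without the 4688 record of who started the listener, the PVS session alone proves nothing about the user.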

Conclusion

This simple and powerful analysis took only a short time to perform and included a complete view of passive network activity analysis, Windows event viewer logs and statistical log analysis – all in one location. Since these discrete sources correlate with each other, a more compelling forensic report can be developed. There are three important points to take away from this scenario:

  1. Tenable's enterprise products provide rapid and robust user tracking, analysis and reporting of system compromises.
  2. Multiple sources of data were consolidated in a way that made forensics more complete and easier to understand. Events that would have been missed - had either passive or log data been missing - filled the forensic void, leaving no doubt in the analyst's mind what really happened.
  3. If desired, any one of the logs or events above could have been created as a trigger for an automated alert and trouble ticket. This would have allowed the administrator to catch the attacker in action and prevent further compromise from happening.

To wrap things up, the weekend was not shot after all, you received an “attaboy” from the CEO the following day for taking care of the situation so quickly (and discreetly), and you ended up enjoying the meal at Chez Francois – stress free!

[1] As with any tool, the LCE and PVS must be configured properly to enable user activity monitoring. In addition, Windows Local Security Policy must be configured to audit the relevant system activity events (logon/logoff, process tracking and object access, for the events shown above). It is also assumed that both user activity monitoring and real-time PVS events are enabled as described in the corresponding product user guides.